I need end-to-end encryption, so the current setup is:
example.com -> Route53 -> LB (TCP :80/443) -> Nginx Ingress with SSL certs installed
Is it possible to do something like:
example.com -> Route53 -> CloudFront -> LB (TCP :80/443) -> Nginx Ingress with SSL certs installed
When I’m attaching the same certificate to CloudFront, I’m getting a 502 CloudFront error. I listed example.com in Alternate Domain Names and the LB DNS name mylb123.elb.us-east-2.amazonaws.com as Origin Domain Name. Documentation says that the Origin Domain Name should match one of the names in the SSL certificate that is assigned to the origin, but the SSL certificate was provisioned for real domains like example.com; for sure it does not include *.elb.us-east-2.amazonaws.com etc. This confuses me.
Can you please suggest how to set up SSL on the CloudFormation side, or pass it through and handle SSL on the Ingress side?
Update:
The SSL certificate is issued by DigiCert, it’s not self-signed.
2 Answers
I found the resolution in a non-related question.
To make SSL work without the "502 ERROR The request could not be satisfied" error, I had to specify my domain (e.g. example.com) as Alternate Domain Name in the CloudFront distribution, attach the SSL certificate provisioned for example.com and, very important, whitelist the Host header in the cache behavior. This makes SSL handshakes work between CloudFront and Nginx.

For your origin, in your case an instance, you must have a valid public SSL certificate. It can’t be self-signed. This means that you need to have a proper, public domain for which you register such a certificate.
AWS ACM free SSL certs do not work with instances, unless in an enclave, so you have to use a third party to get such an SSL certificate. A popular choice is https://letsencrypt.org/. Alternatively, you can front your instance with an ALB and get free SSL from ACM.
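As an added illustration, not taken from either answer, this is what the configuration the first answer describes looks like as a CloudFormation distribution: example.com as an alias, the viewer certificate for example.com, the Host header whitelisted in the cache behavior, and the origin pinned to HTTPS (which is where the second answer's requirement for a valid public certificate on the origin applies). The certificate ARN and LB hostname are placeholders; CloudFront only accepts ACM certificates from us-east-1.

```yaml
Resources:
  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        # Viewer-facing name; must be covered by the certificate below.
        Aliases:
          - example.com
        ViewerCertificate:
          # Placeholder ARN: the example.com certificate imported into ACM in us-east-1.
          AcmCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/REPLACE-ME
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: nginx-ingress-lb
            # Assumed LB hostname from the question; it is not in the origin certificate,
            # which is why the Host header must reach the origin.
            DomainName: mylb123.elb.us-east-2.amazonaws.com
            CustomOriginConfig:
              # Never fall back to plain HTTP between CloudFront and the ingress.
              OriginProtocolPolicy: https-only
              HTTPSPort: 443
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: nginx-ingress-lb
          # Clients that arrive over HTTP are redirected, so the viewer leg is TLS too.
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: all
            # Whitelisting Host forwards "example.com" to the origin instead of the
            # LB hostname, so the ingress serves the example.com certificate and
            # CloudFront can validate it. Without this line the result is the 502.
            Headers:
              - Host
```

Forwarding Host also makes it part of the cache key, so responses are cached per viewer hostname; if caching is not wanted for this behavior, set the TTLs to zero as well.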